How effective security training goes deeper than ‘awareness’

When working in the cyber security industry, it’s easy to exist inside an infosecurity bubble, where buzzwords and acronyms are commonplace in day-to-day conversation. The idea that any computer-literate person could be unfamiliar with a term as common as “phishing” seems unthinkable.

But it is the reality – and an extremely worrying one when the majority of modern workers rely on email for a huge share of their communications.

As detailed in Proofpoint’s State of the phish report 2020, a significant number of workers worldwide have little to no understanding of what cyber security professionals may consider basic terminology. In fact, only 61% understood the term phishing, with just 31% familiar with ransomware. There’s yet more grim reading when it comes to modern threats. Just 30% of the global workforce understand the term smishing, and only 25% were familiar with vishing.

These numbers are even lower among the younger generation. Far from ushering in a new breed of security-savvy employees, those under 40 are less informed about basic security threats. Just 47% of those aged 18 to 22, and 55% of those aged 23 to 38, recognised the term phishing, compared with 65% of those aged 39 to 54 and 66% of the over-55s.

This points to a basic lack of cyber security awareness. But is it down to complacency? Ineffective methods? Or a language barrier between infosecurity professionals and users?

Whatever the cause, with over half of global businesses experiencing a successful phishing attack last year, this should serve as a stark reminder that a change is needed.

Cyber security training – much more than a box-ticking exercise

One thing is for sure: a complete lack of training is not the issue here. Almost all surveyed organisations (95%) train employees to spot and avoid phishing attacks. However, scratch the surface and much of this training proves ineffective – in frequency, method and scope.

Starting with the last of these, almost a third of organisations only train a portion of their users. Targeted training is essential, but it leaves gaping holes in cyber defences if it is not accompanied by company-wide education.


The frequency of training is also found wanting. While most organisations conduct training on a monthly basis, this typically amounts to between one and three hours over the course of a year. Just 10% of organisations spend more than three hours per year on this vital task.

Let’s put that into context: The World Economic Forum estimates that between 2019 and 2023, $5.2tn in global value will be at risk from cyber attacks. The majority of the individuals facing these attacks receive no more than three hours of training in a year. It’s difficult to envisage any other threat, with stakes this high, where those on the front line are so ill-prepared.

To complete the triumvirate, many common training methods are also sub-par.

Just 60% of companies provide any sort of formal education to users, be it in-person or computer-based training. For many, cyber security training amounts to a combination of newsletters, email bulletins, educational videos and user report buttons.

Any approach that raises security awareness should be encouraged. But to put these methods under the umbrella of training is a little misleading. Being aware that a threat exists, through an awareness campaign, is a world away from learning the skills needed to minimise the risk of that threat succeeding.

Cyber security training must place greater emphasis on the why and the how. Why am I a target for cyber attacks? How do my actions impact the security of my organisation? Yes, employees must learn to recognise common threats, but they must also be made acutely aware of their role in defending against those threats – and the consequences of failing to do so.

Should users face the consequences?

We often talk of the consequences of poor cyber security from a business point of view. Rarely do we discuss the consequences of bad practice on individual employees.

Yet the consequence training model is gaining traction. Almost two-thirds of organisations penalise users who regularly fall for phishing attacks. Consequences range from additional in-person training through to official warnings and monetary penalties.


It’s a model that divides opinion. Organisations are understandably wary of punishing workers for mistakes – fearing that it may foster negativity around cyber security training. However, proponents of the consequence model believe that without some form of deterrent, users may not take their responsibilities seriously.

While the approach may be up for debate, its reported results are not: almost 90% of organisations that have implemented a consequence model report an improvement in employee awareness.

The model itself is secondary here. The key takeaway is that time and effort matter. The more hands-on training workers receive, the better they are at spotting phishing attempts.

Organisations must strive to develop training programmes that leave employees equipped with the skills to spot and defend against attacks – before anyone is left to face the consequences.

Creating a security-conscious culture

The goal of any security training programme is to eradicate behaviours that put your organisation at risk. The best way to achieve this is through a mix of the broad and the granular.

Start by cultivating a security-first culture. This means a continuous, company-wide training programme that acknowledges everyone’s role in keeping your organisation safe.

With this as a foundation, you can then provide tailored training to those most actively targeted by cyber threats – your Very Attacked People (VAPs). By identifying your VAPs, you can tailor training to the specific threats and job roles involved, address those threats more precisely, and continually monitor the skill level of those on the front line.

Training should take the form of in-person workshops, computer-based assessments, realistic simulated attacks and general awareness education. Most importantly, this training must be comprehensive, ongoing and responsive to changes in the threat landscape.

There are no quick fixes in cyber security. Building a security-conscious culture takes continued effort and attention.

Cyber criminals are focused – forever honing their skills and techniques. If you’re not doing the same, there can only be one winner.

Adenike Cosgrove is cyber security strategist at Proofpoint’s international business.